Audits, Investigations and Internal Controls. Presented by: Heather Lopez, Chief Audit Executive Lenka Perkins, Audit Manager. Updated March 2017. Agenda. Internal Control Who is Responsible Audits and Investigations Resources. WSU’s Strategic Plan: Vision, Mission and Values.
Audits, Investigations and Internal Controls • Presented by: • Heather Lopez, Chief Audit Executive • Lenka Perkins, Audit Manager Updated March 2017
Agenda • Internal Control • Who is Responsible • Audits and Investigations • Resources
WSU’s Strategic Plan: Vision, Mission and Values Washington State University’s mission statement includes seven values critical to achieving our goals: • Quality and excellence • Integrity, trust and respect • Research, innovation and creativity • Land-grant ideals • Diversity and global citizenship • Freedom of expression • Stewardship and accountability
How can we, as an institution and as individuals, uphold the University’s values and achieve our mission? …through a strong system of internal controls
Internal Control Internal control is a process for assuring achievement of an organization's objectives to: • encourage efficiency and effectiveness of operations. • provide for reliability in reporting. • ensure compliance with laws, regulations and University policies. Good controls enable better management of institutional risk and provide for better preparation and ability to respond to the unknown. Good controls also seek to eliminate waste, fraud and abuse and help an entity avoid damage to its reputation and other consequences.
COSO – Committee of Sponsoring Organizations of the Treadway Commission Under COSO, an organization’s internal control system is deemed effective only if all five components (along with relevant principles) are both present and functioning. It is not enough to design and implement a system of control. There must be processes to ensure continued existence and evaluation where issues are addressed as needed.
Control Environment: Formalize mission statement and objectives, set up organization chart and responsibilities (position descriptions, reporting lines, authorizations), establish performance metrics and expectations, invest in employee competency through good hiring practices and ongoing evaluation and development, hold employees accountable, establish strong ethics/positive work environments
Risk Assessment: Identify unit metrics and analyze for changes, investigate fluctuations and impact to controls to enhance/revise processes as needed
Control Activities: Set up and enforce system access controls, levels, authorizations, segregation of duties, reconciliation
Information and Communication: Establish reports for review to metrics for analysis, [GI/GO], provide to necessary parties
Monitoring: Periodically take holistic look at program to see if meeting mission and goals – see how well you are doing
Though leadership is ultimately responsible, everyone in an entity has some responsibility for the organization’s internal controls. • All personnel should be responsible to effect internal controls and to communicate problems in operations, deviations from established standards and violations of policy or law. Internal Controls are Everyone’s Business!
Management’s Role • Management has responsibility to: • Assess risks to the organization of not meeting its objectives • Identify and develop appropriate controls to mitigate/manage identified risks • Implement controls and monitor them to ensure they are working as designed and are adequate
Audit’s Role • Auditors test to ensure the controls and processes management has established and implemented are adequate to: • Ensure compliance with applicable rules • Safeguard resources • Properly present and report activity (reliable reporting) • Provide for effectiveness and efficiency in operations
WSU Internal Audit The mission of Internal Audit is to provide within the University an independent appraisal function that measures and evaluates the efficiency and effectiveness of internal controls and operating activities. • Audits – provide assurance to management that controls are working • Investigations – focused inquiry • Liaison – external auditors • Ethics Advisor • Advisory Services – control, policy, ethics
Audits • Audits have an objective to evaluate a process, system, unit, operation, program, etc. and tests are performed to ensure the internal controls implemented by management are working as designed. • Audits yield memos or reports that provide results of tests and evaluations with recommendations for improvement. • [Internal] Audits are performed according to schedule of audits in annual audit plan – developed as a result of annual risk assessment.
Auditors and Types of Audit • Internal vs. External • State vs. Federal • Program Review • Statutory/Mandated • Accountability • Performance • Bond Covenants/Contractual • Single Audit • Financial
General Audit Process • Preliminary assessment of risks – scoping • Planning procedures – data analysis, research of audit subject, interviews • Entrance meeting with management • Fieldwork – test of controls, test of transactions, interviews and walkthroughs, observation • Closing – summarize issues noted, develop draft memo/report • Reporting
Focus on Internal Controls • Auditors evaluate the controls management has put in place to mitigate the risk of objectives not being met. If there are no controls, or the controls are inadequate, recommendations are made for improvements. • Auditors are evaluating the internal control system: they review all components and how they are working together.
Investigations • Investigations are unplanned, have a specific focus and ask: Who, what, when, how and why. • Answering how: evaluate controls and gaps in controls. • Investigations yield memos or reports that provide results of tests to answer the question and usually recommendations to correct the concern.
Investigators • Internal Audit: employee malfeasance, misappropriation, ethics misconduct • WSU Units: Provost (faculty research misconduct/faculty misconduct), Student Conduct Board (students), OEO, HRS, EHS, ORA • State Auditor: whistleblower (employee misconduct), fraud • Ethics Investigator: state ethics violation • Federal: (secret service, FBI, OIG, federal agency) federal whistleblower statutes, False Claims Act
Contributing Factors for Fraud/Embezzlement A strong system of internal control is the greatest fraud deterrent. Fraud Triangle • Opportunity: Poor internal controls, lack of oversight, lack of segregation of duties, lack of clear direction on roles/authorities, poor employee morale due to management, work conditions, work load, other factors • Pressure: Employees have additional outside pressure (economy bad everywhere, personal financial pressure, etc.) • Rationalization: Employees under pressure to do more with less (affects attitude, competence and effectiveness)
“Desperate people do desperate things. Loyal employees have bills to pay and families to feed. In a good economy, they would never think of committing fraud against their employers.” 2009 Report on Occupational Fraud, ACFE Occupational Fraud: “The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” 2016 Report to the Nation on Occupational Fraud and Abuse, ACFE
Control Environment The Control Environment lays the foundation for the internal control system and provides the basis for carrying out internal controls across the organization. If poorly designed, executed or managed all other internal controls can crumble. A strong control environment includes oversight responsibility, strong processes and: • Commitment to integrity • Enforced accountability • Established structure, authority and responsibility • Demonstrated commitment to competence
Commitment to Integrity & Enforced Accountability • Ethics, Culture and Work Environment • Tone at the top – lead by example • Policies on standard of conduct • Avenues for reporting concerns • Conditions that impact control environment: • Leaders engaging in bad behavior – poor examples • Offenses not addressed, no consequences • Not providing or encouraging a means for employees to report wrongdoing • Rumor mill as source of “credible” information with no actions to directly address
What you can do • Ensure all employees, including managers and leaders, are aware of standards of conduct and ethics. • Provide training or means to get to training on a regular basis to reinforce as a norm. • Provide regular notices/reminders about ethics and standards and reporting avenues. • Include compliance with standards of conduct as part of employee evaluations. • Enforce consequences – do not turn a blind eye to bad behavior.
Structure, Roles and Authority • Ensure organization charts are current and include reporting lines. • Position descriptions/duties/responsibilities need to be current and clear. • Authorizations and delegations should be clearly defined. • Significant processes should be in writing.
People are Our Greatest Asset …and can be our greatest risk. • Demonstrate commitment to attracting and retaining competent employees. • Ensure PDs accurately reflect expectations for position before posting. • Ensure recruitment process and hiring personnel/committees understand desired skill sets and are trained to properly evaluate. • Do reference checks – always! • Provide opportunities for employees to gain continuing professional education to stay current and relevant in their field.
Knowledge is Power • In addition to professional development, facilitate processes to master and share institutional knowledge. • Increased meetings within departments to share: • Issues, resolution, processes employed • Brainstorm potential issues and how to overcome • Increased networking across departments and functions to share: • Common issues and resolutions
Employee Empowerment and Awareness • Give employees information they need to make their own decisions whenever possible. • They need to know to question if something is not right or unusual – they are part of system of control. • Make sure employees are familiar with not only their respective duties, but ethics laws, basic internal controls, and how what they do relates to other processes. • Employees need to know resources available to them – through peer networks, online, professional associations, WSU departments and employees.
Resources • WSU Internal Audit – 5-5336, ia.central@wsu.edu • COSO Framework (2013) – www.coso.org • SAO (Whistleblower program, Audits, Investigations) – http://www.sao.wa.gov